WebAPI/Security/Idle: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 3: Line 3:


Brief purpose of API: Notify an app if the user is idle
Brief purpose of API: Notify an app if the user is idle
General Use Cases: Notify a web page is a user is idle (e.g. to change a status in an instant messaging program)
General Use Cases: Notify a web page is a user is idle (e.g. to change a status in an instant messaging program).


Inherent threats:
Inherent threats:
Line 13: Line 13:


== Regular web content (unauthenticated) ==
== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: IM chats that need to detect when user is AFK.
Use cases for unauthenticated code: N/A


Authorization model for normal content: None
Authorization model for normal content: None
Line 23: Line 23:
* Provide only page idle not system idle, where privacy is a concern
* Provide only page idle not system idle, where privacy is a concern


== Trusted (authenticated by publisher) ==
== Privileged (authenticated by publisher) ==
Use cases for authenticated code: As per unauthenticated
Use cases for authenticated code: N/A


Authorization model: Implicit
Authorization model: None


Potential mitigations: Implicit
Potential mitigations: None


== Certified (vouched for by trusted 3rd party) ==
== Certified (vouched for by trusted 3rd party) ==

Revision as of 05:34, 4 August 2012

Name of API: Idle API Reference: https://wiki.mozilla.org/WebAPI/IdleAPI

Brief purpose of API: Notify an app if the user is idle General Use Cases: Notify a web page is a user is idle (e.g. to change a status in an instant messaging program).

Inherent threats:

  • Privacy implication
    • signalling multiple windows at exactly the same time could correlate user identities and compromise privacy
    • Could be used by a workplace to monitor activity by monitoring system idle

Threat severity: Low

Regular web content (unauthenticated)

Use cases for unauthenticated code: N/A

Authorization model for normal content: None

Authorization model for installed web content: None

Potential mitigations:

  • Exact time user goes idle can be fuzzed so as to reduce correlation
  • Provide only page idle not system idle, where privacy is a concern

Privileged (authenticated by publisher)

Use cases for authenticated code: N/A

Authorization model: None

Potential mitigations: None

Certified (vouched for by trusted 3rd party)

Use cases for certified code: As per unauthenticated

Authorization model: Implicit

Potential mitigations: Implicit

Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/Idle&oldid=457783"